SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XV - Issue #44
June 04, 2013
TOP OF THE NEWS
Congressional Hearing Today To Uncover Failure of U.S. Cybersecurity Accreditation Programs
Judge Says Google Must Comply with National Security Letters
THE REST OF THE WEEK'S NEWS
Oracle Enumerates Plans to Improve Java Security
France Eliminates Threat of Severing Internet Connection From Anti-Piracy Law
Maine Lawmakers Pass Bill Requiring Warrant for Cell-Phone Tracking
EFF Challenges Inclusion of DRM in HTML5 Specifications Draft
Multi-Factor Authentication May Someday be Available As Tattoos and Pills
New Zealand Police Ordered to Return Certain Seized Property to Kim Dotcom
BT Drops Yahoo as eMail Partner After Rise in Account Hijackings
Bradley Manning Trial Begins
Man Drops Lawsuit Over Seized Laptop
TRAINING UPDATE
-- Industrial Control System (ICS) Security Training In-depth, hands-on technical courses taught by top SCADA experts. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Leave the event with solutions that you can immediately put to use in your organization.
--Houston, TX (June 10-June 15)
http://www.sans.org/event/scada-training-houston-2013
--Washington, DC (August 12-August 16)
http://www.sans.org/event/ics-security-training-washington-dc
-- SANSFIRE 2013 Washington, DC June 14-22, 2013 43 courses. Bonus evening sessions include Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants; and Automated Analysis of Android Malware.
http://www.sans.org/event/sansfire-2013
-- Security Impact of IPv6 Summit Washington, DC June 14-16 Held in conjunction with SANSFIRE 2013, the Security Impact of IPv6 Summit offers discussions and panels with IPv6 security experts, ISPs, early adopters, and industry vendors. You will come away with best practices from those who have already implemented IPv6. A two-day, post-summit class follows:
http://www.sans.org/event/ipv6-summit-2013/course/ipv6-essentials
http://www.sans.org/event/ipv6-summit-2013
-- SANS Rocky Mountain 2013 Denver, CO July 14-20, 2013 10 courses. Bonus evening sessions include OODA - The Secret to Effective Security in Any Environment; and APT: It is Not Time to Pray, It is Time to Act.
http://www.sans.org/event/rocky-mountain-2013
-- SANS San Francisco 2013 San Francisco, CA July 29-August 3, 2013 7 courses. Bonus evening sessions include Offensive Digital Forensics; and Base64 Can Get You Pwned!
http://www.sans.org/event/san-francisco-2013
-- SANS Boston 2013 Boston, MA August 5-10, 2013 9 courses. Bonus evening sessions include Cloud R and Forensics; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/boston-2013
-- SANS Virginia Beach 2013 Virginia Beach, VA August 19-30, 2013 10 courses. Bonus evening presentations include Thanks for Recovering ... Now I Can Hack You!; Everything I Know is Wrong!; and APT: It is Time to Act.
http://www.sans.org/event/virginia-beach-2013
-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013 Europe's only specialist pen test training and networking event. Four dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013
-- SANS London Summer 2013 London, UK July 9-July 16, 2013 5 courses. SANS has added a new London date to the security-training calendar, giving security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the excellent 2 day Securing The Human course.
http://www.sans.org/event/london-summer-2013
-- Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org
-- Looking for training in your own community?
http://www.sans.org/community/
-- Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/specials
Plus Canberra, Austin, Mumbai, Bangkok and Melbourne all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org
*****************************************************************************
TOP OF THE NEWS
Congressional Hearing Today To Uncover Failure of U.S. Cybersecurity Accreditation Programs (June 4, 2013)
The U.S. government's entire cybersecurity program will come under a bright spotlight this afternoon in a hearing before the Oversight and Investigations Subcommittee of the House Veterans Affairs Committee. The hearing was triggered by a letter to Congress in late January, from Department of Veterans Affairs Deputy Assistant Secretary for Information Security (DAS IS), Jerry Davis, saying "I attest, as the DAS IS, that there is a clear and present danger and risk of exposure and compromise of sensitive data for perhaps hundreds of thousands to millions of veteran[s]; all facilitated by coercion, intimidation and an improper process executed to assess system security." The system used at VA is based on NIST guidance and is nearly identical to that used at DHS and other civilian agencies as well as at DoD. If Davis's concerns are proven accurate, NIST's accreditation model will need to be thrown away and a better system will be needed in its place.
-http://www.federalnewsradio.com/538/3344870/VAs-security-shortcuts-put-millions-of-veterans-data-at-risk-former-VA-cyber-official-alleges
Judge Says Google Must Comply with National Security Letters (May 31 & June 3, 2013)
A federal judge in California has denied Google's request to modify or nullify 19 National Security Letters (NSLs). US District Judge Susan Illston ordered Google to comply with 17 of the letters after FBI officials submitted secret affidavits and has asked that the government "provide further information" about the other two before she makes a decision about them. In March, Judge Illston ruled that NSLs are unconstitutional because "the non-disclosure provision ... violates the First Amendment." The US government has appealed that ruling. Illston noted that her most recent ruling was made because Google had provided only broad arguments as to why the letters should be thrown out or modified, and suggested that Google try again with "specific [information] to the 19 NSLs at issue." National Security Letters allow the FBI and the US Department of Justice (DOJ) to request information about individuals from telecommunications companies; the vast majority of the letters also impose a gag order, so that the company from which the information is requested cannot acknowledge the letter's existence, and the person whose information is requested cannot challenge the order. The NSLs can be served without judicial oversight.
-http://news.cnet.com/8301-13578_3-57587003-38/judge-orders-google-to-comply-with-fbis-secret-nsl-demands/
-http://www.zdnet.com/google-fails-to-strike-down-fbis-secret-gagging-orders-despite-constitutionality-concerns-7000016185/
-http://www.infosecurity-us.com/view/32720/google-must-comply-with-nsls-says-judge/
March Decision:
-http://www.wired.com/threatlevel/2013/03/nsl-found-unconstitutional/
THE REST OF THE WEEK'S NEWS
Oracle Enumerates Plans to Improve Java Security (June 3, 2013)
Oracle has outlined three initiatives to improve Java security. First, starting in October 2013, the company will incorporate security updates for Java into its scheduled quarterly Critical Patch Updates; currently, Java updates are released three times a year. Second, Oracle plans to add Local Security Policy features to Java to give administrators "additional control over security policy settings during Java installation and deployment." And third, "Oracle will explore stronger measures to further reduce attack surface including the removal of certain libraries typically unnecessary for server operation." These changes will be incorporated at a later date, as they "would violate current Java specifications."
-http://www.h-online.com/security/news/item/Oracle-sets-out-future-Java-security-plans-1875125.html
-http://www.theregister.co.uk/2013/06/03/oracle_java_security_improvement_plan/
-http://www.informationweek.com/security/application-security/oracle-promises-enterprise-java-security/240155912
-http://www.zdnet.com/oracle-outlines-steps-to-improve-java-home-enterprise-security-7000016121/
-http://www.computerworld.com/s/article/9239670/Oracle_reveals_plans_for_Java_security_improvements?taxonomyId=17
-https://blogs.oracle.com/security/entry/maintaining_the_security_worthiness_of
France Eliminates Threat of Severing Internet Connection From Anti-Piracy Law (June 3, 2013)
France has removed the threat of cutting off users' Internet connections from Hadopi, its anti-piracy law. The law had established a system of graduated warnings and penalties, with the most severe being the severing of repeat offenders' Internet connections. France's digital minister Fleur Pellerin said that "it is not possible to cut off someone's Internet access," comparing it to "cutting off someone's water." The change comes from a 600-page government document known as the Lescure Report that includes analysis of Hadopi and makes recommendations for the law and digital policy. The report recommends that the Hadopi agency be dissolved and that the law be administered through the Superior Audiovisual Council, the French media regulator. It also recommends imposing a one percent tax on all connected devices.
-http://arstechnica.com/tech-policy/2013/06/france-removes-internet-cut-off-threat-from-its-anti-piracy-law/
Maine Lawmakers Pass Bill Requiring Warrant for Cell-Phone Tracking (June 3, 2013)
Maine's State Legislature has approved a bill that would require law enforcement to obtain a warrant from a court to access individuals' cell-phone location data. If the bill becomes law, Maine would be the first state to impose such a requirement. The bill provides exceptions for emergencies, such as life or death situations or threats to national security. Law enforcement would also be required to notify people whose information was obtained within three days, but that notification can be delayed for up to 90 days if a judge deems there is evidence that earlier disclosure could pose a threat to an investigation.
-http://www.computerworld.com/s/article/9239749/Maine_may_be_first_state_to_require_a_warrant_for_cell_phone_tracking?taxonomyId=17
[Editor's Note (Murray): A warrant is the difference between investigation and surveillance. ]
EFF Challenges Inclusion of DRM in HTML5 Specifications Draft (May 31, 2013)
The Electronic Frontier Foundation (EFF) has registered a formal complaint with the World Wide Web Consortium (W3C) regarding the proposed inclusion of digital rights management (DRM) in a draft of the HTML5 specifications. The EFF maintains that the DRM technology, which is called the Encrypted Media Extension (EME), will erode online freedom. The EFF says that "existing web standards already permit equivalent functionality."
-http://www.theregister.co.uk/2013/05/31/eff_objects_drm_html5_with_w3c/
-http://www.networkworld.com/news/2013/053113-eff-html5-270357.html
EFF's Complaint:
-https://www.eff.org/pages/drm/w3c-formal-objection-html-wg
Multi-Factor Authentication May Someday be Available As Tattoos and Pills (May 31, 2013)
Motorola Mobility has demonstrated two authentication technologies that remove the need for people to carry around devices for two-factor authentication. The first is an electronic tattoo, a flexible, water-resistant sticker that lasts for several days. The second is a capsule that people can swallow daily. Its components are activated by stomach acids to emit a signal. Motorola said that the US Food and Drug Administration (FDA) has cleared the pill authentication technology for human use.
-http://arstechnica.com/security/2013/05/someday-you-may-ditch-your-two-factor-authenticator-for-an-electronic-tattoo/
-http://www.v3.co.uk/v3-uk/news/2272086/motorola-execs-show-off-tattoo-and-pill-authentication-technologies
-http://www.theregister.co.uk/2013/05/31/motorola_tattoo_pill_authentication/
[Editor's note (Northcutt): Pills as two factor auth? Did the entire research staff at Motorola fail to watch the bug removal scene in the Matrix?]
New Zealand Police Ordered to Return Certain Seized Property to Kim Dotcom (May 31, 2013)
The High Court of New Zealand has ruled that the warrants used to seize evidence, including computers, hard drives, and documents, in a January 2012 raid on the home of Megaupload founder Kim Dotcom were illegal and that New Zealand police must provide Dotcom with copies of all relevant evidence in their possession. They must also return all evidence that the court has deemed not relevant to the case.
-http://news.cnet.com/8301-1009_3-57587026-83/kim-dotcom-wins-access-to-seized-property-from-2012-raid/
-http://www.bbc.co.uk/news/technology-22716718
-http://arstechnica.com/tech-policy/2013/05/kim-dotcom-raid-yielded-miscarriage-of-justice-nz-judge-rules/
-http://www.computerworld.com.au/article/463375/nz_ordered_return_some_seized_material_kim_dotcom/?fp=4&fpid=1398720840
BT Drops Yahoo as eMail Partner After Rise in Account Hijackings (May 30 & 31, 2013)
UK telecommunications company BT has dropped Yahoo as its email provider following a growing number of customer complaints that their accounts were hijacked and used to send spam. Yahoo has been BT's partner for subscriber email accounts. BT plans to move all six million accounts to its new BT Mail platform, which will be hosted by Critical Path. The accounts were vulnerable because Yahoo administrators had not applied a patch in the WordPress content management system that supported one of its blogs.
-http://arstechnica.com/security/2013/05/yahoo-mail-reportedly-loses-key-customer-following-mass-hack-attack/
-http://www.zdnet.com/uk/bt-dumps-yahoo-mail-after-account-hijack-claims-7000016179/
-http://www.telegraph.co.uk/finance/newsbysector/epic/btdota/10089355/BT-dumps-Yahoo-email-after-hacking-claims.html
Bradley Manning Trial Begins (June 3, 2013)
The court-martial of Army Pfc. Bradley Manning for offenses related to the leak of classified information has begun. Manning, who has been detained since his 2010 arrest, allegedly gave more than 700,000 government and military documents to WikiLeaks. Among the 22 charges Manning faces is a count of aiding the enemy, which could bring a life sentence without the chance of parole.
-http://www.washingtonpost.com/world/national-security/bradley-manning-court-martial-opens/2013/06/03/9c65ea48-cc51-11e2-8f6b-67f40e176f03_story.html
-http://www.washingtonpost.com/world/national-security/bradley-manning-leak-trial-set-to-open-monday-amid-secrecy-and-controversy/2013/06/01/b2bad2fa-c93a-11e2-9f1a-1a7cdee20287_story.html
Man Drops Lawsuit Over Seized Laptop (May 29, 2013)
A man whose laptop was seized by the US Department of Homeland Security (DHS) has dropped his lawsuit challenging the seizure. David Maurice House filed a lawsuit in May 2011, alleging that the seizure was motivated by his association with Bradley Manning. House was a founding member of the Bradley Manning Support Network. Data related to that organization, including donor information, were on the seized laptop. House said that the government has agreed to delete any copies of the data from his machine that it has made, and will give him notes agents made about the hard drive. DHS's Department of Immigration and Customs Enforcement (ICE) seized the laptop, along with a thumb drive and a digital camera, when House returned from a trip to Mexico in November 2010. The equipment was kept for 49 days; regulations call for the equipment to be returned within 30 days.
-http://www.wired.com/threatlevel/2013/05/lawsuit_dropped/
[Editor's Note (Shpantzer): Moving across borders can be disruptive and expensive if border agents decide to seize your equipment. If you didn't back up your laptop to a trusted service (I like SpiderOak) or to external media that isn't crossing the border with your laptop, then you are at some risk for an availability hit. ]
************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/